GOLD WESTMORE
SUMMARY
GOLD WESTMORE is the name used by the CTU to track the threat group responsible for deploying the LockerGoga malware in post-intrusion ransomware attacks. LockerGoga was linked to an attack on an engineering consulting firm in January 2019 and to an attack on a renewable energy firm in March 2019. While the initial infection vector in these incidents has not been confirmed, the lack of any lateral movement capability within the LockerGoga malware itself suggests that GOLD WESTMORE already has wide-scale access to victims' networks before deploying the ransomware.
GOLD WESTMORE makes extensive use of the Cobalt Strike and Metasploit tools for post-exploitation activity. The group obtains valid credentials for lateral movement and uses Active Directory Group Policy Objects (GPOs) to distribute the LockerGoga ransomware to target hosts.
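Because a domain-wide GPO is a legitimate administrative channel, the defensive check is to review what the GPOs in SYSVOL are actually pushing. The script below is an added example written for this profile, not CTU tooling or anything recovered from the group: it parses a Group Policy Preferences ScheduledTasks.xml (the file a GPO uses to create scheduled tasks on every computer in scope) and flags tasks that warrant analyst attention, such as immediate tasks, commands that execute a file staged in SYSVOL or NETLOGON, recently changed entries, and commands outside a reviewed allowlist. The sample XML, the domain name, GUIDs, task names, file paths, allowlist and reference time are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample of a Group Policy Preferences ScheduledTasks.xml. Real files
# sit under SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Preferences\ScheduledTasks\.
# Domain, GUIDs, task names and paths are invented for this example.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="InventoryAgent" changed="2019-03-18 22:41:05" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="InventoryAgent" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\corp.example\SYSVOL\corp.example\Policies\{11111111-2222-3333-4444-555555555555}\Machine\agent.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="NightlyBackup" changed="2018-11-02 03:10:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="U" name="NightlyBackup" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Backup\backup.exe</Command>
            <Arguments>/nightly</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Constructed allowlist: commands an administrator has reviewed and accepts in GPP tasks.
KNOWN_GOOD_COMMANDS = {r"C:\Program Files\Backup\backup.exe"}

# Constructed reference time for the "recently changed" check (the review runs at this moment).
REFERENCE_TIME = datetime(2019, 3, 19, 8, 0, 0)

# Immediate tasks run once on the next policy refresh, which suits one-shot mass deployment.
IMMEDIATE_TASK_TAGS = {"ImmediateTask", "ImmediateTaskV2"}
# Matches a path component of \SYSVOL\ or \NETLOGON\, where every domain member can read a file.
SYSVOL_RE = re.compile(r"\\sysvol\\|\\netlogon\\", re.IGNORECASE)


def parse_gpp_scheduled_tasks(xml_text):
    """Return one dict per task element: kind, name, command, arguments and changed timestamp."""
    tasks = []
    for task_el in ET.fromstring(xml_text):
        exec_el = task_el.find("Properties/Task/Actions/Exec")
        changed_raw = task_el.get("changed")
        changed = datetime.strptime(changed_raw, "%Y-%m-%d %H:%M:%S") if changed_raw else None
        tasks.append({
            "kind": task_el.tag,
            "name": task_el.get("name", ""),
            "command": (exec_el.findtext("Command") or "").strip() if exec_el is not None else "",
            "arguments": (exec_el.findtext("Arguments") or "").strip() if exec_el is not None else "",
            "changed": changed,
        })
    return tasks


def review_gpp_scheduled_tasks(xml_text, now=REFERENCE_TIME, recent_days=30, allowlist=KNOWN_GOOD_COMMANDS):
    """Return {task name: [reasons]} for every task that deserves an analyst's attention."""
    findings = {}
    for task in parse_gpp_scheduled_tasks(xml_text):
        reasons = []
        if task["kind"] in IMMEDIATE_TASK_TAGS:
            reasons.append("immediate task: runs once on next policy refresh")
        if SYSVOL_RE.search(task["command"]):
            reasons.append("command executes a file staged in SYSVOL or NETLOGON")
        if task["changed"] is not None and now - task["changed"] <= timedelta(days=recent_days):
            reasons.append(f"task changed within the last {recent_days} days")
        if task["command"] and task["command"] not in allowlist:
            reasons.append("command not in the reviewed allowlist")
        if reasons:
            findings[task["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_gpp_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed sample, the review reports only InventoryAgent, with all four reasons, while the long-standing, allowlisted NightlyBackup task is left alone. In practice the same function would be run over every ScheduledTasks.xml under the domain's SYSVOL share, and the "recently changed" window would be aligned with the time of the suspected intrusion.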
Ransom payments are made in bitcoin in order to obtain a decryption tool. The CTU has limited direct visibility into whether paying actually secures the decryption tool, or into the efficacy of that tool once it has been obtained.